Outside of the normal security stuff from Dark Reading I came across an article on Security Certifications. I’ve had some great conversations with different risk and security individuals on this topic and while most agree that it shows you’re competent in the discipline it also has a dark side. A side that hopefully the security certifications are not heading toward but I’ve seen evidence to the contrary. I’ll keep from naming certs that, in my estimation, are being abused or at the very least misrepresented by some who have them but I’m fairly confident that you know what certifications.
REWIND… back to the late 90’s early 2k’s. Radio ads blasting about the shortage of IT professionals an the promise of a great salary after you obtain the latest and hottest certifications. Take the test online to see if you have the aptitude and ability to get yours in 6 months! What certification can you earn? MCSE (Microsoft Certified System Engineer), CNA (Certified Novell Administrator), CCNA (Cisco Certified Network Administrator) among other top tier certifications…
Listener1: Wow! I can become certified in less than 6 months and they guarantee that I’ll pass!
Listener2: And we can start making real money!!!! Did you hear that? Companies are paying more than 60k for someone with those!!!!
Listener1: Yeah, let’s go and blow the 7k it’s gonna cost us to get certified! We’ll be able to pay back the loan in no time once we get the job.
REALITY… The market became flooded with these paper tigers who had no practical experience but they had a certification! Like any good multi-level marketing scheme those who got in first realized the gain and got out while the rest rode out the trend without no realization on the salary claims being made. Wah, wah, wahhhhhhh….. Thanks for playing!!! I saw that time and time again with these guys coming in and not even being able to perform basic troubleshooting because it wasn’t something they learned how to fix or do in their class. Or better yet, I’ve got some idiot telling me that what I’m doing is wrong, even if it corrects their mistake! Sounds to me like the certification mills have churned out a true disparity of certified to practical skills. I haven’t heard much about those lately, maybe my economics class was correct in saying the market will correct itself!
I’m not against certification at all. I have a few myself, but they are in things that I actually have experience in that is backed up by my resume and a list of people that are willing to provide recommendations. I also, don’t have any issue with the testing centers. My issue is in how they’re marketing their services for certifications. There are many which are reputable and have been used for those in the field who are looking to expand their repertoire. My fear is that we have people with security certifications, because they’re the hottest, most sexy thing on the market that will make them beau-coup greenbacks. In reality, all it is doing is detracting from the legitimate security professionals who’ve put the time into the profession and realize that the certifications are just another step in their career and not just a payday. It’s also potentially promoting a false sense of comfort that the individual a company is hiring is fully competent. To me this is the most disturbing part is we’ve not got people proselytizing security and not being able to practically help protect the company that’s hired them. How many times have we been in meetings where a self-professed, certified, security guy starts spouting off “we need to secure…”, “if we don’t we’ll be hacked” and other self serving comments to instill FUD in those in the meeting. In my mind, not only did they diminish the certification but they made the rest of us look like a bunch of Chicken Little’s. Why? Because they used emotion and passion to invoke a response from something they’ve read about rather than having the practical experience and data to back up the request or argument.
So you’re probably asking well what certifications would I select and why. Here’ a small subset of my list:
- If you’re going to be in Management then the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager) are good. As a bit of a disclaimer, do not expect someone with a CISSP to be extremely technical. The CISM is a bit more technically focused but not as in-depth technically as it could be. Again, from the Management perspective I would expect a Manager to have one of these as the breadth of knowledge is required versus a certification that is more technically focused.
- If you’re going to be a security assessment/pentester type, again this is my opinion, the OSCP (Offensive Security Certified Professional) is one of the more technically in-depth certifications. Based on my experiences with those who have this certification, they really know how to get in and perform manual and tool based pentesting. After learning that Dave Kennedy (ReL1k) has even gone through the testing has put the Offensive Security certifications even higher on my legitimacy radar.
- There are also vendor certifications like Cisco’s which I think are valid but for my own path more of a way to get deeper into their technology.
I’ve ranted enough on this for the evening…. Paper tigers are a pet peeve and only serve to over saturate an already tough profession with their inexperience and inability to provide solid recommendations that actually make a company more secure.
Oddjob, grab your bowler and sharpen the new ceramic blade we bought… Time to go hunting!
Leave a comment
No comments yet.
Bond Must Die!! 
Leave a Reply